I think I first encountered the idea of essentially using passwords as commands for a variety of custom actions in a Larry Niven book from the 60s? Earlier?
It must be as old as passwords, meaning as old as language, relatively straightforward to implement in any kind of software, yet I've never seen it actually implemented in all this time. Closest has been the single triggered action to wipe everything after n failures.
It's been implemented in video games, at least! The "NARPAS SWORD" password in Metroid comes to mind.
The practical issue here is that a secret password to release the hounds or whatever is only useful if someone is able to use it at the appropriate time. It's hard to memorize a password you don't use. The number of cases where a "release the hounds" password is going to be usable and useful where a "log into admin account which has a 'release the hounds' button" wouldn't be is going to be very low.
The fact that you remember the one from a videogame, makes it seem like that would be a good candidate password for this purpose. If it's used to wipe the data (which is backed up), then it shouldn't need to be as secure as a regular password. In fact, it might be preferable to be less secure so that someone trying to brute force would hit the duress password first.
Huh, my phone used to have MIUI, an Android skin by Xiaomi, installed from the factory. It featured support for a second user profile that could be entered either through the settings or by setting up a custom unlock pattern for entering it when unlocking the phone.
I thought this was quite a clever feature for e.g. giving your phone to your children with an isolated profile.
Because people struggle to remember even one PIN, especially if it's needed infrequently or in a stressful situation. I'm not being snarky here, it's happened to me. Could not remember my one, main PIN on one particularly stressful day. Went home, slept, and no problem the next day.
So remembering a PIN that most people will never need to use in a stressful situation? Unlikely to be useful for the majority of people.
If we had duress codes for ATM, and it’s widely known, then someone with a gun will just threaten me to not use my duress code. I’m not going to bet my life in that scenario.
It occurs to me you could do something like this by creating a dummy user and enabling a user service on login (systemd). I don't think this is the best method, because you can't predict all the ways to login without a shell. Just a neat idea for generalizing it.
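One way to wire up the "dummy user plus systemd user service" idea above, as an added example that is not code from the thread or from pam_duress. It assumes the dummy account is called `duress`, that its hook lives at `~/.local/bin/duress-hook`, and that the host runs a per-user systemd instance (the usual case on current Linux desktops and servers); `default.target` is what that instance reaches when the account's first session starts.

```shell
#!/bin/sh
# Added example: a systemd *user* unit that runs a hook whenever the dummy
# "duress" account logs in. Assumed names: account "duress", hook at
# ~/.local/bin/duress-hook, home directory /home/duress.
set -eu

# Write the hook and the unit under HOME_DIR. Returns 0 on success.
install_duress_user_service() {
  home_dir="$1"
  hook="$home_dir/.local/bin/duress-hook"
  unit_dir="$home_dir/.config/systemd/user"
  mkdir -p "$unit_dir" "$home_dir/.local/bin"

  # The hook itself; replace the body with whatever the duress action is.
  cat >"$hook" <<'EOF'
#!/bin/sh
logger -t duress "duress account session started on $(hostname)"
EOF
  chmod 700 "$hook"

  # default.target is reached by the per-user systemd instance on the first
  # login of that user, whether it came via a display manager, a tty or SSH.
  cat >"$unit_dir/duress.service" <<EOF
[Unit]
Description=Duress hook for dummy account

[Service]
Type=oneshot
ExecStart=$hook

[Install]
WantedBy=default.target
EOF
}

# Return 0 if the unit in HOME_DIR is wired to start with default.target.
duress_unit_installed() {
  grep -q '^WantedBy=default.target' \
    "$1/.config/systemd/user/duress.service" 2>/dev/null
}

# Real installation (root for useradd, then enable as the dummy user):
#   useradd -m duress && passwd duress          # this password is the duress credential
#   install_duress_user_service /home/duress && chown -R duress: /home/duress
#   su - duress -c 'systemctl --user enable duress.service'
if [ "${1:-}" = "--install" ]; then
  install_duress_user_service "${2:-/home/duress}"
fi
```

The limitation the comment points out applies: the user manager is only started for logins that open a session through pam_systemd, so a path that bypasses PAM will not fire the hook.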
I have a feeling that "Is pam_duress.so configured in any file in /etc/pam.d, and if so turn on a big red light" is a pretty trivial thing to add to those "plug the person's computer in here and have them log in to their machine to decrypt everything, otherwise they won't go through customs/leave our dingy bunker" solutions.
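The check described above is indeed trivial. As an added example (not code from the thread or from any forensic tool), here is a scanner that reports every PAM service file loading `pam_duress.so`, ignoring commented-out lines and matching the module name as its own token so `/lib/security/pam_duress.so` and a bare `pam_duress.so` both count. The directory argument defaults to `/etc/pam.d`; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example: report which PAM service files reference pam_duress.so.
set -eu

# Print "service: line" for every non-comment line in DIR that loads
# pam_duress.so (as a bare name or with a path prefix). Prints nothing if
# no service references it.
find_pam_duress() {
  dir="${1:-/etc/pam.d}"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # sed strips "# ..." comments; awk checks every token so bracketed
    # control fields like [success=1 default=ignore] do not shift the module.
    sed 's/#.*//' "$f" | awk -v svc="$(basename "$f")" '
      { for (i = 1; i <= NF; i++)
          if ($i ~ /(^|\/)pam_duress\.so$/) { print svc ": " $0; break } }'
  done
}

# Return 0 (and print the offending lines) if any service loads pam_duress.so,
# 1 otherwise. This is the "turn on the big red light" decision.
pam_duress_configured() {
  out=$(find_pam_duress "${1:-/etc/pam.d}")
  [ -n "$out" ] && printf '%s\n' "$out"
}

# Usage on a live system:
#   pam_duress_configured && echo "duress module present, treat login output as suspect"
```

The same one-liner also works the other way round: run it on your own machine before travelling to confirm the module is not visible in plain text where an examiner would look first.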
These duress passwords seem to be for kind of contrived scenarios, to me. Either your threat model is "someone breaks into my hotel room and steals my laptop", in which case it's useless, or "The $OpposingSideSecretService got me and hits me until I give them my password" in which case it seems to be equally useless.
Sadly (2) is a legal requirement in Australia now, too.
If asked you MUST unlock your phone and computer. So if you’re travelling here or leaving — citizen or not — you best be prepared to have your data searched for arbitrary reasons.
Maybe this shouldn't be branded purely as a security feature. There are plenty of uses for it beyond the whole duress aspect. It could be an elegant way to toggle desktop themes when you log in. Or it could give a bit of peace of mind by killing all open browser windows as you're about to log into your laptop that's hooked up to a projector.
Something like this would be great for online voting. If a voter is under duress (i.e. being watched while they vote, etc), they can enter a specific ballot unique to them that discards the ballot and allows them to re-vote in a safer environment.
Or just completely get rid of anything internet connected or electronic for voting and go back to pen and paper. Any claims that online voting can be secure should be kept far away and buried as though they were radioactive waste.
I find it hilarious that people think pen and paper voting is more secure. The introduction of electronic voting (plus security through out of state paramilitary forces) was a major factor in reducing electoral fraud in India, the world's largest democracy.
Obviously the usefulness of measures like this is likely pretty low if you're dealing with tech-savvy adversaries, but if some random border guard or police officer forces you to log into your computer and — I don't know, I'm not very well-versed in these scenarios — show your Facebook messages or your password vault, you could use your duress password to clear cookies and other stuff to show that you don't have a Facebook account or a password manager ... or whatever, you get the general idea.
Or you could use it to not change anything but simply log in and additionally alert your work place that you're under duress and they can cut off your access to critical systems. Provided that you have some sort of internet access of course...
I married into an American family recently. We plan on doing a road trip through America to visit said family. I will not be taking my phone or my laptop. I will just buy something cheap over there and then donate it to charity before I leave.
Before and now after reading the article, I was immediately struck by the title that it’s astonishing this isn’t a more widely used concept. An “I’m complying” Dead Man’s Switch is a generally good idea for a lot of people for a lot of reasons. Maybe not just at a point of authentication but that’s a reasonably good place to start.
There is a legal concept called adverse inference. It is based on the premise that you wouldn't destroy evidence that would be beneficial to you. In addition to any punishment the court may decide, they introduce the spirit of the destroyed evidence and treat it as materially detrimental to your side.
There are many actors one might comply with who aren’t law enforcement and to whom you may prefer granting access to garbage rather than the thing they’re seeking. I think the vast majority of people with debit cards would be comforted with the idea of being able to give a thief a PIN which doesn’t empty their bank account… even if they never get around to setting one up. No one would think people who do are up to something nefarious. The same goes for protecting oneself from abusers in one’s home. The set of reasons one might want this are so commonplace that the most widely used devices are set up to lock or wipe on failed login attempts either by default or by easy configuration.
I've always been on the fence with technical solutions to the 'Pipe wrench' problem but one thing that I don't see mentioned that often is that there are usually many secondary keyrings unlocked by the login password (ssh auth, saved passwords, session cookies maybe, etc).
I could see a solid usecase for a duress script that clears all these and requires 'standard' reauth, so that at least you're back to a 'defence in depth' style.
Also, in the 'Pushover' example, I can't imagine many attackers waiting to plug the thing in before starting the ~pipe wrench~ credentials discussion.
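A duress action along the lines the comment above describes, as an added example that is not code from the thread or from pam_duress: it drops what the login password transitively unlocked (agent-held SSH identities, gpg-agent's passphrase cache, browser session cookies) so every downstream system asks for its own credential again. Browser profile paths (`~/.mozilla/firefox/*`, `~/.config/chromium/*`) are assumptions; tools are only invoked when present, so it is safe to run on a host without them. Locking a desktop keyring is desktop-specific and is left out.

```shell
#!/bin/sh
# Added example: reduce a duress login to "just a shell" by discarding the
# secondary credentials the login password normally unlocks.
# Assumed browser paths: ~/.mozilla/firefox/<profile>/ and ~/.config/chromium/<profile>/.
set -eu

# Remove session cookies and saved sessions for browsers found under HOME_DIR,
# printing one "removed <path>" line per file. Unrelated profile data is kept.
clear_browser_sessions() {
  h="${1:-$HOME}"
  for f in "$h"/.mozilla/firefox/*/cookies.sqlite \
           "$h"/.mozilla/firefox/*/sessionstore-backups/* \
           "$h"/.config/chromium/*/Cookies \
           "$h"/.config/chromium/*/Sessions/*; do
    [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
    rm -f -- "$f" && echo "removed $f"
  done
}

# Flush agent-held secrets. These are what turn "already logged in" into
# "already authenticated to every other system".
clear_agents() {
  if [ -n "${SSH_AUTH_SOCK:-}" ] && command -v ssh-add >/dev/null 2>&1; then
    ssh-add -D 2>/dev/null || true               # forget all loaded SSH identities
  fi
  if command -v gpgconf >/dev/null 2>&1; then
    gpgconf --kill gpg-agent 2>/dev/null || true # drops cached GPG passphrases
  fi
}

# Entry point for a duress hook; HOME_DIR defaults to the current user's home.
duress_cleanup() {
  clear_agents
  clear_browser_sessions "${1:-$HOME}"
}
```

Nothing here deletes the underlying data, which matters for the adverse-inference point raised elsewhere in the thread: keys, saved logins and browsing history stay on disk and are merely locked again, so the script forces re-authentication rather than destroying anything.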
The fundamental problem is that often the people who are trying to get your data are legally entitled to it, and to use physical force against you to get it. And god help you if there is any appearance that you might have deleted the data they want.
Plausible deniability may help, but only if you really can convince them that you do not have and cannot somehow access the data they want.
Personally, I'm wondering why ATMs don't have this feature.
1. A journalist who has a legal right to protect their sources from discovery
2. A check on your encrypted electronic device at the border
3. A snooping housemate or someone else logs into your machine
That was in <30 seconds of thought on this problem.
I hate it.
— https://xkcd.com/2030/
Longer explanation: https://www.youtube.com/watch?v=w3_0x6oaDmI and https://www.youtube.com/watch?v=LkH2r-sNjQs
https://en.m.wikipedia.org/wiki/Booth_capturing